WO2015003503A1 - 一种提高信息安全性的方法、终端设备及网络设备 - Google Patents
一种提高信息安全性的方法、终端设备及网络设备 Download PDFInfo
- Publication number
- WO2015003503A1 WO2015003503A1 PCT/CN2014/072755 CN2014072755W WO2015003503A1 WO 2015003503 A1 WO2015003503 A1 WO 2015003503A1 CN 2014072755 W CN2014072755 W CN 2014072755W WO 2015003503 A1 WO2015003503 A1 WO 2015003503A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- terminal device
- network
- information
- encryption result
- encryption
- Prior art date
Links
- 238000000034 method Methods 0.000 title claims abstract description 40
- 238000004422 calculation algorithm Methods 0.000 claims abstract description 49
- 238000004891 communication Methods 0.000 claims description 26
- 238000000605 extraction Methods 0.000 claims description 3
- 230000006870 function Effects 0.000 description 28
- 230000006399 behavior Effects 0.000 description 7
- 238000004364 calculation method Methods 0.000 description 7
- 238000010586 diagram Methods 0.000 description 4
- 230000003542 behavioural effect Effects 0.000 description 3
- 230000001010 compromised effect Effects 0.000 description 2
- 238000005516 engineering process Methods 0.000 description 2
- 238000004458 analytical method Methods 0.000 description 1
- 230000005540 biological transmission Effects 0.000 description 1
- 238000006243 chemical reaction Methods 0.000 description 1
- 238000004590 computer program Methods 0.000 description 1
- 238000009795 derivation Methods 0.000 description 1
- 230000000694 effects Effects 0.000 description 1
- 230000003993 interaction Effects 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 230000000750 progressive effect Effects 0.000 description 1
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0876—Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/44—Program or device authentication
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0407—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the identity of one or more communicating identities is hidden
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0823—Network architectures or network communication protocols for network security for authentication of entities using certificates
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/02—Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/04—Key management, e.g. using generic bootstrapping architecture [GBA]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/08—Access security
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/06—Network architectures or network communication protocols for network security for supporting key management in a packet data network
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3236—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3236—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
- H04L9/3242—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions involving keyed hash functions, e.g. message authentication codes [MACs], CBC-MAC or HMAC
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/60—Context-dependent security
- H04W12/69—Identity-dependent
- H04W12/71—Hardware identity
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/60—Context-dependent security
- H04W12/69—Identity-dependent
- H04W12/72—Subscriber identity
Definitions
- the present invention relates to the field of electronic information technology, and in particular, to a method, a terminal device and a network device for improving information security.
- terminal devices can implement many network services through installed applications, such as third-party applications that are currently commonly used.
- IMEI International Mobile Equipment Identity, an international mobile equipment identification another 1 J Code
- IMSI International Mobile Subscriber Identity, international mobile subscriber identity
- the identification code is used as the identifier of the user, so that the terminal device can stably use the interface between the application and the network to communicate with the server on the network side, thereby implementing the online function of the application.
- the terminal device frequently reports the identification code when accessing the interface between the application and the network, and some devices on the network can analyze the identification code reported by the user through the terminal device. Track and record the activity and behavior of users using the app. For example: Users often use the application installed on the smartphone, application B, and the online function of the terminal device using these applications needs to report the identification code, some on the network side.
- the device can determine that the application terminal A and the application B are the same terminal device according to the identification code reported by the terminal device, and can read the communication when the terminal device uses the application program A and the application program B on the network side server. Record, and can pass There are many common ways to derive the behavioral contours of users who use this terminal device.
- Profile the final identity of the user can be derived.
- the user's true identity information can be easily exploited by malicious users once it is compromised, thereby damaging the user's personal privacy.
- the embodiments of the present invention provide a method, a terminal device, and a network device for improving information security, which can prevent the device on the network side from deducing the real identity information of the user to some extent, thereby preventing the user's real identity information from being leaked, thereby protecting the user. Personal privacy.
- an embodiment of the present invention provides a method for improving information security, which is used in a terminal device, including:
- the terminal device acquires a key, an identifier of the terminal device, and identifier information of one or more applications in the terminal device, where identifier information of different applications in the terminal device are different from each other, and the terminal
- the identification code of the device includes: International Mobile Equipment Identity (IME I) and/or International Mobile Subscriber Identity (IMS I);
- the encryption result is used to indicate information required by the terminal device to access the network and perform the identification of the access network;
- the method further includes: the key, an identifier of the terminal device, and identifier information of one or more applications in the terminal device Reporting to the network, the network includes a network device or a network server.
- the preset The encryption algorithm is an algorithm based on a one-way function.
- an embodiment of the present invention provides a method for improving information security, which is used in a network device, including:
- the network device Obtaining, by the network device, an original encryption result used when an unknown terminal device accesses the network, where the original encryption result is identifier information of an application in the unknown terminal device by the unknown terminal device, The key of the unknown terminal device and the identification code are generated, and the original encryption result is used to indicate information required by the terminal device to access the network and perform another authentication of the access network; generating each terminal device Corresponding encryption result, the security information includes parameters required to generate an encryption result corresponding to each terminal device;
- the security information for the terminal device that is reported to the network device includes a key, an identifier, a preset encryption algorithm, and the terminal device.
- Identification information of one or more applications includes: an International Mobile Equipment Identity (IME I) of the terminal device and/or an International Mobile Subscriber Identity (IMS I);
- the information generation corresponding to the encryption result of each terminal device includes: generating, by using the one-way function-based algorithm, the encryption corresponding to each terminal device by using the key of each terminal device, the identification code, and the identification information of one or more application programs in the terminal device result.
- IME I International Mobile Equipment Identity
- IMS I International Mobile Subscriber Identity
- an embodiment of the present invention provides a terminal device, including: An information extraction module, configured to acquire a key, an identifier of the terminal device, and identifier information of one or more applications in the terminal device, where identifier information of different applications in the terminal device are different from each other
- the identification code of the terminal device includes: International mobile device identification code
- IMEI International Mobile Subscriber Identity
- IMSI International Mobile Subscriber Identity
- an encryption module configured to generate, according to the identification information of the application in the one or more applications, the key and the identifier of the terminal device, by using a preset encryption algorithm to generate an identifier corresponding to the application
- the result of the encryption the encryption result is used to indicate information required by the terminal device when accessing the network and performing identification authentication of the access network;
- a communication module configured to access the network by using the encryption result corresponding to the application when the terminal device runs the application.
- the communication module is further configured to use the key, an identifier of the terminal device, and one or more applications in the terminal device
- the identification information of the program is connected to the network, and the network includes a network device or a network server.
- the cryptographic module is specifically configured to use, according to the identification information of an application, the key and the identifier of the terminal device, by using The algorithm of the one-way function generates an encryption result corresponding to the one application.
- an embodiment of the present invention provides a network device, including:
- a receiving module configured to acquire an original encryption result used when an unknown terminal device accesses the network, where the original encryption result is identifier information of the application in the unknown terminal device by the unknown terminal device, The key and the identification code of the unknown terminal device are generated, and the original encryption result is used to indicate that the terminal device is accessing the network and performing an access network.
- the information required for the authentication of the J is generated; the prepared security information generates an encryption result corresponding to each terminal device, and the security information includes parameters required to generate an encryption result corresponding to each terminal device;
- the identification module is configured to determine that the terminal device is the unknown terminal device if the encryption result corresponding to the terminal device is the same as the original encryption result in the encryption result generated by the network device.
- the security information that is reported to the terminal device of the network device includes a key, an identifier, a preset encryption algorithm, and one of the terminal devices.
- the identifier of the terminal device includes: an International Mobile Equipment Identity (IME I) and/or an International Mobile Subscriber Identity (IMS I) of the terminal device;
- the processing module is configured to generate an encryption result corresponding to each terminal device by using a one-way function-based algorithm by using a key of each terminal device, an identifier, and identifier information of one or more applications in the terminal device.
- the method for improving information security, the terminal device, and the network device provided by the embodiment of the present invention, the terminal device, capable of generating an encryption result corresponding to each application, and an encryption result used when an application running by the terminal device accesses the network
- the encryption result used when another application accesses the network is different, so that the information sent by the terminal device to the network to identify the terminal device when running different applications is different.
- FIG. 1 is a flow chart of a method for improving information security according to an embodiment of the present invention
- FIG. 2 is another flow chart of a method for improving information security according to an embodiment of the present invention.
- FIG. 3 is a flowchart of another method for improving information security according to an embodiment of the present invention.
- FIG. 4 is a schematic structural diagram of a terminal device according to an embodiment of the present invention.
- FIG. 5 is a schematic structural diagram of a network device according to an embodiment of the present disclosure.
- FIG. 6 is a schematic structural diagram of a computing node according to an embodiment of the present disclosure.
- FIG. 7 is a schematic structural diagram of a storage node according to an embodiment of the present invention.
- An embodiment of the present invention provides a method for improving information security. As shown in FIG. 1 , the method includes: 101. A terminal device acquires a key, an identifier of the terminal device, and one or more applications of the terminal device. Identification information.
- the identification information of different applications in the terminal device are different from each other, and the identifier of the terminal device may include: IMEI (International Mobile Equipment Identity) and/or IMSI (International Mobile Subscriber Identity, International Mobile User) Identifier;).
- IMEI International Mobile Equipment Identity
- IMSI International Mobile Subscriber Identity, International Mobile User
- the key corresponding to the terminal device may be automatically after the terminal device is powered on.
- the generated key can also be a key that is sent by user input or other device.
- the identification information of the application may be the package name of the application, the certificate information carried by the application, the body key in the certificate information carried by the application or the signature in the certificate and/or the UID (User Identification) of the application. And other information.
- the encryption result is used to indicate information required by the terminal device when accessing the network and performing identification authentication of the access network.
- the network includes devices that can perform data interaction with the terminal device through the network, such as a base station, a gateway, a data server, and the like.
- the terminal device can send information for identifying the terminal device to the network, for example, an APP (Application, third-party application) installed on the smart phone can utilize an API provided by an operating system installed on the smart phone. (Application Programming Interface) reads the device information of the smart phone.
- the APP Application Programming Interface
- the device information can be used as the identification device for the smart phone.
- the information is imported into the data block with the transmission and sent to the network through the communication module of the smart phone, so that the information for identifying the terminal device is sent to the network.
- the server on the network side for example, the server of the APP provider
- the registration of the terminal device on the network can be implemented according to the information used to identify the terminal device, thereby ensuring that the terminal device can stably communicate with each other through the interface between the application and the server.
- the server on the network side communicates.
- the preset encryption algorithm may also be an ordinary function algorithm.
- the terminal device may perform weight calculation on each parameter participating in the encryption calculation, and obtain a weight calculation result, and then calculate the weight.
- the result is converted into a string code of the same form as IMEI or IMSI by a hex conversion technique, and then the code having the same length as IMEI or IM SI is intercepted as an encryption result;
- the preset encryption algorithm can also be a one-way function based algorithm such as: HASH function. and And, the generated encryption result corresponds to an application in the terminal device.
- ⁇ - INFO indicates the identification information of the application
- V indicates the encryption result
- HASH indicates a one-way function, which can be expressed in various functional forms such as MD5, SHA-1, etc. in practical applications. Due to the unidirectional nature of the one-way function, it is difficult to inversely calculate the result after the encryption calculation, and the reverse analysis can be used to crack the calculation. Therefore, the unidirectional function is used to perform the encryption calculation. Can improve the security of information encryption.
- Value represents the identification code of the terminal device
- K represents the key generated by the terminal device
- 4 represents a logical operation method well known to those skilled in the art, such as string connection, bitwise XOR, superposition operation, and the like.
- 4 represents a specific logical operation mode of each parameter in the preset encryption algorithm.
- the symbol indicating the logical operation mode may also be a custom symbol such as Q, ®, or ®. It can also be a logical operation symbol commonly used in the field, such as @,
- the encryption result of the access network used by the terminal device when running an application is different from the encryption result of the access network used by the terminal device when running another application.
- IMEI and IMSI are stored and transmitted in the form of a string in the actual application.
- the network can use the identification code to register, record, etc. the terminal device on the server. The specific application process.
- the terminal device can use the encryption result as the identification code of the actual application, and access the network by using the encryption result.
- the encryption result as the identification code of the actual application
- the terminal device can obtain the encrypted result V, and V is also stored in the terminal device in the form of a character string.
- the terminal device can use the V instead of the identification code to report to the network, so that the network segment uses the V reported by the terminal device as a character string for identifying the terminal device, thereby realizing the utilization of the terminal device. V access to the network.
- the terminal device reported in the actual application is actually a string for identifying the terminal device, so the encryption result V can be sent to the network in the same manner as the above JMEI and IMSI;
- the actual application also deals with a string of characters for identifying the terminal device. Therefore, after receiving the V, the network can process the V in the same manner as the IMEI and the IMSI, so that the terminal device uses the encryption result V.
- the network can process the V in the same manner as the IMEI and the IMSI, so that the terminal device uses the encryption result V. Into the network.
- the encryption result of the access network used by the terminal device when running different applications is different, for example: the terminal device is running the application A, and when using the online function of the application A, the The encryption result V A corresponding to the application A accesses the network; when the application B is run, and when the online function of the application B is used, the encryption result V B corresponding to the application B can be accessed to the network; The application C, and when using the online function of the application C, can access the network by using the encryption result V c corresponding to the application C; and in the embodiment, V A , V B and V c are different from each other .
- the terminal device is capable of generating an encryption result corresponding to each application, and the encryption result used by one application running by the terminal device to access the network is accessed by another application.
- the encryption result used by the network is different for the device.
- the behavior profile avoids the device on the network from deriving the user's real identity information, preventing the user's real identity information from being leaked, thereby protecting the user's personal privacy.
- the embodiment further provides a method for improving information security. As shown in FIG. 2, the method includes:
- the terminal device acquires a key, an identifier of the terminal device, and the terminal device. Identification information for one or more applications.
- the identification information corresponding to different applications in the terminal device are different from each other.
- the terminal device can also obtain identification information of each application.
- the identification information of the application may be a Package Name of an application well known to those skilled in the art, certificate information carried by the application, a subject key in the certificate information carried by the application, or a signature in the certificate and/or Or information such as the UID of the application.
- the identification information of different applications in the terminal device are different from each other.
- the Package Name, UID, certificate information, and the like of any two applications in the terminal device are different from each other.
- I represents a preset fixed value
- the identifiers such as IMEI and IMSI reported by the terminal device to the network are often 15-digit decimal numbers, and specifically stored in the terminal device in the form of binary numbers, for example, 15
- the decimal number of the bit is converted to a binary string of the specified length, such as a 45-bit binary string.
- the terminal device may intercept a binary string of a specified length, such as 45 bits, from the encrypted result, and convert the obtained binary string of the specified length into a 15-digit decimal number. The number is used to report the 15-digit decimal number to the network as a string for identifying the terminal device.
- the network side includes a network device or a network server.
- the terminal device may perform 203, that is, 203 may be executed simultaneously with 202, or 203 may be executed after 202.
- the terminal device may report the information as security information to the network, and the network device may report the terminal device.
- the security information is stored in a storage device that can ensure information security.
- the network can store the security information reported by the terminal device in a third-party database with high reliability or free access before being officially authorized. For example: the database of the network supervision department, the backup database of the operator, and so on.
- the terminal device is running the application A, and when using the online function of the application A, can access the network by using the encryption result V A corresponding to the application A; running the application B, and using the application B when the online features can be utilized with application B corresponding to the network access encryption result V B; C running application, and when using the C-line application functions may be utilized with the encryption result corresponding to application C V c accesses the network; and in the present embodiment, V A , V B and V c are different from each other.
- the terminal device is capable of generating an encryption result corresponding to each application, and the encryption result used by one application running by the terminal device to access the network is accessed by another application.
- the encryption result used by the network is not
- the information of the end devices is different. Compared with the prior art, because the information used by the terminal device to identify the terminal device is different when the different applications are running, it is difficult for the network to analyze the communication records of the different applications by using the same terminal device.
- the behavior profile avoids the device on the network from deriving the user's real identity information, preventing the user's real identity information from being leaked, thereby protecting the user's personal privacy.
- the network device in this embodiment may be a device that can communicate with the terminal device in the network, and the network device stores security information of at least two terminal devices, where the security information of the terminal device includes a key, an identifier, a preset encryption algorithm, and identifier information of one or more application programs in the terminal device, where the identifier of the terminal device includes: the terminal device International Mobile Equipment Identity (IMEI) and/or International Mobile Subscriber Identity (IMSI).
- IMEI International Mobile Equipment Identity
- IMSI International Mobile Subscriber Identity
- the method may include:
- the network device acquires an original encryption result used when an unknown terminal device accesses the network.
- the original encryption result is generated by the unknown terminal device for the identification information of the application in the unknown terminal device, using the key and the identification code of the unknown terminal device.
- the preset encryption algorithm is a one-way function-based algorithm, and the original encryption result is used to indicate information required by the terminal device to access the network and perform identification authentication of the access network.
- the terminal device accesses the network by using the result of the encryption calculation performed by the terminal device, for example, the original encryption result used by the terminal device unknown to the network in this embodiment.
- the network device does not record the correspondence between the encryption result generated by the terminal device and the one terminal device. Therefore, the network device cannot identify the terminal device that accesses the network, and the terminal device is an unknown terminal device for the network device. The information generates an encryption result corresponding to each terminal device.
- the security information includes parameters required to generate an encryption result corresponding to each terminal device.
- the security information may include security information for the terminal device reported to the network device, including a key, an identification code, a preset encryption algorithm, and an identifier of one or more applications in the terminal device.
- the identifier of the terminal device includes: an International Mobile Equipment Identity (IMEI) and/or an International Mobile Subscriber Identity (IMSI) of the terminal device. Therefore, in this embodiment, 302 may be specifically implemented to: generate each terminal device by using the one-way function-based algorithm by using a key of each terminal device, an identification code, and identification information of one or more application programs in the terminal device. Corresponding encryption result.
- IMEI International Mobile Equipment Identity
- IMSI International Mobile Subscriber Identity
- the terminal device uses the key of the terminal device, the identification code, and the identification information of the application program as parameters, the encryption result generated by the preset encryption algorithm, and uses the terminal device.
- the generated encryption result is connected to the network, thereby avoiding the IMEI and IMSI accessing the network directly using the terminal device in the prior art.
- the security information stored in the network device includes parameters of each terminal device and a preset identifier, and also stores presets used by each terminal device to generate an encryption result. Encryption Algorithm. Therefore, the network device can sequentially generate the encryption result corresponding to each terminal device by using the security information corresponding to each stored terminal device.
- the security information corresponding to the terminal device stored in the network device may further include APP_INFO a , APP INFOb and APP_ INFO c , so that the network device can generate and V a , the same encryption results V b or V c
- the terminal device is capable of generating an encryption result corresponding to each application, and the encryption result used by one application running by the terminal device to access the network is accessed by another application.
- the encryption result used by the network is different for the device.
- the information used by the terminal device to identify the terminal device is different when the different applications are running, it is difficult for the network to analyze the communication records of the different applications by using the same terminal device. Behavioral contours. If the terminal device needs to obtain the correct terminal device according to the information traced by the terminal device for identifying the terminal device, the network device needs to obtain security information including parameters such as a key of the terminal device, such as a key, a preset identifier, and the like.
- the same preset encryption algorithm as the terminal device can correctly identify the terminal device that accesses the network, so that the device that does not have the security information on the network is difficult to trace the correct terminal device, thereby avoiding the device derivation on the network side.
- the user's real identity information is prevented, and the user's real identity information is prevented from being leaked, thereby protecting the user's personal privacy.
- the embodiment of the present invention provides a terminal device 40 for improving information security.
- the terminal device 40 may include:
- the information extraction module 41 is configured to acquire a key, an identifier of the terminal device, and identifier information of one or more applications in the terminal device.
- the identification information of different applications in the terminal device are different from each other, and the identification code of the terminal device includes: an International Mobile Equipment Identity (IMEI) and/or an international mobile subscriber identity (IMSI).
- IMEI International Mobile Equipment Identity
- IMSI international mobile subscriber identity
- the encryption module 42 is configured to generate, by using a preset encryption algorithm, an identifier of the application in the one or more applications, by using the key and the identifier of the terminal device, by using a preset encryption algorithm. Corresponding encryption result.
- the encryption result is used to indicate information required by the terminal device to access the network and perform identification authentication of the access network.
- the encryption module 42 is specifically configured to: generate, according to the identification information of an application, the identifier corresponding to the terminal device, by using a one-way function-based algorithm to generate an identifier corresponding to the application. Encrypted result.
- the communication module 43 is configured to access the network by using the encryption result corresponding to the application when the terminal device runs the application.
- the communication module 43 is further configured to upload the key, the identifier of the terminal device, and the identifier information of one or more applications in the terminal device to the network.
- the network side includes a network device or a network server.
- the terminal device for improving information security can generate an encryption result corresponding to each application, and an encryption result used by one application running by the terminal device to access the network and another application access network
- the encryption results used are different and the information is different.
- the information used by the terminal device to identify the terminal device is different when the terminal device runs different applications, it is difficult for the network terminal to analyze the communication record of the different terminal using the same terminal device to analyze the user's communication record.
- the behavior profile avoids the device on the network from deriving the user's real identity information, preventing the user's real identity information from being leaked, thereby protecting the user's personal privacy.
- the network device 50 for improving information security may include: The receiving module 51 is configured to obtain an original encryption result used when an unknown terminal device accesses the network, where the original encryption result is an identification information of an unknown terminal device for an application in the unknown terminal device, and the unknown terminal device is utilized.
- the original encryption result is generated by the key and the identification code, and is used to indicate information required by the terminal device when accessing the network and performing identification authentication of the access network.
- the security information of the terminal device includes a key, an identification code, a preset encryption algorithm, and identifier information of one or more applications in the terminal device that are reported by the terminal device to the network device.
- the identifier of the terminal device includes: an international mobile device identifier IMEI of the terminal device and/or an international mobile subscriber identity IMSI.
- the security information of the device generates an encryption result corresponding to each terminal device, and the security information includes parameters required to generate an encryption result corresponding to each terminal device.
- the identification module 53 is configured to determine that the terminal device is the unknown terminal device if the encryption result corresponding to the terminal device is the same as the original encryption result in the encryption result generated by the network device.
- the security information of the terminal device that is reported to the network device includes a key, an identifier, a preset encryption algorithm, and identifier information of one or more applications in the terminal device, where the identifier of the terminal device includes : an International Mobile Equipment Identity (IMEI) and/or an International Mobile Subscriber Identity (IMSI) of the terminal device.
- IMEI International Mobile Equipment Identity
- IMSI International Mobile Subscriber Identity
- the processing module 52 is configured to generate, by using a one-way function-based algorithm, an encryption of each terminal device by using a key of each terminal device, an identifier, and identifier information of one or more application programs in the terminal device. result.
- the terminal device Since the terminal device is capable of generating an encryption result corresponding to each application, and the encryption result used when one application running by the terminal device accesses the network is different from the encryption result used when another application accesses the network, the terminal is made The information sent by the device to the network to identify the terminal device when running different applications is different. Relative to the prior art Different information makes it difficult for the network to analyze the user's behavior profile by using the intersection of the communication records of the same terminal device running different applications.
- the network device for improving information security provided by the embodiment of the present invention can obtain the correct terminal device according to the source information for identifying the terminal device sent by the terminal device, because the network device acquires the key of the terminal device, such as a key.
- the security information of the parameters such as the pre-set identifier and the same preset encryption algorithm as the terminal device can correctly identify the terminal device that accesses the network, so that the device with no security information on the network is difficult to trace.
- the correct terminal device prevents the device on the network from deriving the user's real identity information, preventing the user's real identity information from being leaked, thereby protecting the user's personal privacy.
- the embodiment of the present invention further provides a computing node 60.
- the computing node 60 can be used for a terminal device.
- the computing node 60 includes: a first processor 61, a first communication interface 62, and a first memory 63.
- a first bus 64, the first processor 61, the first communication interface 62 and the first memory 63 complete communication with each other through the first bus 64, and the first memory 63 is used for storing
- the computing node 60 needs to store data during the running process, where: the first processor 61 is configured to acquire a key, an identifier of the terminal device, and the terminal device by using the first communication interface 62. Identification information for one or more applications.
- the identification information of different applications in the terminal device are different from each other, and the identifier of the terminal device includes: an International Mobile Equipment Identity (IMEI) and/or an International Mobile Subscriber Identity (IMSI).
- IMEI International Mobile Equipment Identity
- IMSI International Mobile Subscriber Identity
- the first processor 61 is further configured to generate, by using a preset encryption algorithm, the identification information of the application in the one or more applications by using the key and the identifier of the terminal device. The encryption result corresponding to the application.
- the encryption result is used to indicate information required by the terminal device when accessing the network and performing identification authentication of the access network.
- the preset encryption algorithm may be an algorithm based on a one-way function.
- the first processor 61 is further configured to access the network by using the encryption result corresponding to the application when the terminal device runs the application.
- the first processor 61 is further configured to use the first communication interface 62 to identify the key, the identifier of the terminal device, and an identifier of one or more applications in the terminal device.
- the information is reported to the network, and the network includes a network device or a network server.
- the first processor 61 is specifically configured to generate, by using the key and the identifier of the terminal device, an encryption corresponding to the one application by using an algorithm based on a one-way function for identification information of an application. result.
- the computing node for improving information security can generate an encryption result corresponding to each application, and an encryption result used by one application running by the terminal device to access the network and another application access network
- the encryption results used are different and the information is different.
- the behavior profile avoids the device on the network from deriving the user's real identity information, preventing the user's real identity information from being leaked, thereby protecting the user's personal privacy.
- the embodiment of the present invention further provides a storage node 70, which can be used for a network device. As shown in FIG.
- the storage node 70 includes: a second processor 71, a second communication interface 72, and a second memory 73. a second bus 74, the second processor 71, the second communication interface 72, and the second memory 73 complete communication with each other through the second bus 74, and the second memory 73 is used for storing
- the storage node 70 needs to store data during operation, where:
- the second memory 73 is further configured to store security information reported by the terminal device.
- the security information may include a key, an identifier, a preset encryption algorithm, and identifier information of one or more applications in the terminal device, where the identifier of the terminal device includes: an international mobile device of the terminal device Identification Code (IMEI) and/or International Mobile Subscriber Identity (IMSI).
- IMEI international mobile device of the terminal device Identification Code
- IMSI International Mobile Subscriber Identity
- the second processor 71 is configured to obtain an original encryption result used when an unknown terminal device accesses the network.
- the original encryption result is generated by the unknown terminal device for the identification information of the application in the unknown terminal device, and is generated by using the key and the identification code of the unknown terminal device, and the original encryption result is used to indicate that the terminal device is in the access network. And the information needed to access the network to identify the other 'J certification.
- the second processor 71 is further configured to generate, by using security information of each terminal device stored in the second memory 73, an encryption result corresponding to each terminal device, where the security information includes generating corresponding to each terminal device. The parameters required to encrypt the results.
- the second processor 71 is further configured to: if the encryption result corresponding to the terminal device is the same as the original encryption result in the encryption result generated by the network device, determine that the terminal device is the unknown terminal device.
- the second processor 71 may be specifically configured to generate, by using a key of each terminal device, an identifier, and identifier information of one or more applications in the terminal device, each terminal device is generated by using a one-way function-based algorithm. Encrypted result.
- the terminal device is capable of generating an encryption result corresponding to each application, and the encryption result used by one application running by the terminal device to access the network is connected with another application.
- the information used to encrypt the terminal device when entering the network is different.
- the information used by the terminal device to identify the terminal device is different when the terminal device runs different applications, it is difficult for the network terminal to analyze the communication record of the different terminal using the same terminal device to analyze the user's communication record. Behavioral contours.
- the network device needs to obtain the security including parameters such as a key of the terminal device, such as a key, a preset identifier, and the like.
- Information and through the same preset encryption algorithm as the terminal device, can correctly identify the terminal device accessing the network, so that the network does not have
- the device with the security information is difficult to trace the correct terminal device, thus preventing the device on the network from deriving the user's real identity information, preventing the user's real identity information from being leaked, thereby protecting the user's personal privacy.
- the storage medium may be a magnetic disk, an optical disk, a read-only memory (ROM), or a random access memory (RAM).
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- General Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- Theoretical Computer Science (AREA)
- Power Engineering (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Mobile Radio Communication Systems (AREA)
- Telephonic Communication Services (AREA)
- Telephone Function (AREA)
Abstract
本发明实施例公开了一种提高信息安全性的方法、终端设备及网络设备,涉及电子信息技术领域,能够防止了用户的真实身份信息被泄露,从而保护用户的个人隐私。本发明的方法包括:终端设备获取密钥、终端设备的识别码和终端设备中一个或多个应用程序的标识信息,终端设备中的不同应用程序的标识信息互不相同,终端设备的识别码包括:国际移动设备识别码IMEI和/或国际移动用户识别码IMSI;针对一个应用程序的标识信息,利用密钥和终端设备的识别码,通过预设的加密算法生成与这一个应用程序相对应的加密结果;当终端设备运行这一个应用程序时,利用与这一个应用程序相对应的加密结果接入网络。本发明适用于保护接入网络的终端设备的信息安全。
Description
一种提高信息安全性的方法、 终端设备及网络设备 本申请要求于 2 01 3 年 7 月 8 日提交中国专利局、 申请号为 2 01 3 1 028 39 1 2. X , 发明名称为 "一种提高信息安全性的方法、 终端设 备及网络设备" 的中国专利申请的优先权, 其全部内容通过引用结合 在本申请中。
技术领域
本发明涉及电子信息技术领域, 尤其涉及一种提高信息安全性的方 法、 终端设备及网络设备。
背景技术
随着网络技术的发展, 网络可以提供的网络业务越来越丰富, 目前终 端设备能够通过所安装的应用程序, 比如目前常用的第三方应用, 实现诸 多网络业务。 在终端设备通过端口访问或是直接访问网络端的服务器时, 上才艮终端设备的 IMEI ( International Mobile Equipment Identity, 国际移动 设备识另1 J码 ) 或 IMSI ( International Mobile Subscriber Identity, 国际移动 用户识别码)等识别码作为用户的标识, 以便于终端设备可以稳定的使用 各个应用程序与网络端的接口与网络端的服务器进行通信,从而实现应用 程序的在线功能。
但是, 随着终端设备上安装的应用逐渐增多, 终端设备在访问不同的 应用程序与网络端的接口时, 会频繁地上报识别码, 而网络端的一些设备 可以通过分析用户通过终端设备上报的识别码,追踪并记录用户使用应用 的活动情况以及行为习惯, 例如: 用户经常使用智能手机上安装的应用程 序入、 应用程序 B , 并且终端设备使用这些应用程序的在线功能需要上报 识别码,网络端的一些设备则可以根据终端设备上报的识别码确定使用应 用程序 A、 应用程序 B的是同一台终端设备, 并可以在网络端的服务器读 取这一台终端设备使用应用程序 A、 应用程序 B时的通信记录, 并可以通
过许多常用的手段推导出使用这一台终端设备的用户的行为轮廓
( Profile ) , 最终可以推导出用户的真实身份信息。 而用户的真实身份信 息一旦泄露就很容易被恶意利用, 从而损害用户的个人隐私。
发明内容
本发明的实施例提供一种提高信息安全性的方法、终端设备及网络设 备, 能够一定程度上避免网络端的设备推导出用户的真实身份信息, 防止 了用户的真实身份信息被泄露, 从而保护用户的个人隐私。
本发明的实施例釆用如下技术方案:
第一方面, 本发明的实施例提供一种提高信息安全性的方法, 用于一 种终端设备, 包括:
所述终端设备获取密钥、所述终端设备的识别码和所述终端设备中一 个或多个应用程序的标识信息,所述终端设备中的不同应用程序的标识信 息互不相同, 所述终端设备的识别码包括: 国际移动设备识别码 ( IME I ) 和 /或国际移动用户识别码 ( IMS I );
针对所述一个或多个应用程序中的应用程序的标识信息,利用所述密 钥和所述终端设备的识别码,通过预设的加密算法生成与所述应用程序相 对应的加密结果,所述加密结果用于表示所述终端设备在接入网络和进行 接入网络的识另 'J认证时所需的信息;
当所述终端设备运行所述应用程序时,利用所述与所述应用程序相对 应的加密结果接入网络。 结合第一方面, 在第一方面的第一种可能的实现方式中, 还包括: 将 所述密钥、所述终端设备的识别码和所述终端设备中一个或多个应用程序 的标识信息上报至所述网络端, 所述网络端包括网络设备或网络端服务 器。 结合第一方面, 在第一方面的第二种可能的实现方式中, 所述预设的
加密算法为基于单向函数的算法。 第二方面, 本发明的实施例提供一种提高信息安全性的方法, 用于一 种网络设备, 包括:
所述网络设备获取未知的终端设备接入网络时使用的原始加密结果, 所述原始加密结果是由所述未知的终端设备针对所述未知的终端设备中 的应用程序的标识信息, 利用所述未知的终端设备的密钥和识别码生成 的,所述原始加密结果用于表示所述终端设备在接入网络和进行接入网络 的识另 'J认证时所需的信息; 生成各个终端设备对应的加密结果,所述安全信息包括了生成各个终端设 备对应的加密结果时所需的参数;
如果在所述网络设备所生成的加密结果中,有终端设备对应的加密结 果与所述原始加密结果相同, 则确定该终端设备为所述未知的终端设备。 结合第二方面, 在第二方面的第一种可能的实现方式中, 用于上报给 所述网络设备的终端设备的安全信息包括密钥、 识别码、预设的加密算法 和所述终端设备中一个或多个应用程序的标识信息,所述终端设备的识另 'J 码包括: 所述终端设备的国际移动设备识别码 ( IME I ) 和 /或国际移动用 户识别码 ( IMS I ); 信息生成各个终端设备对应的加密结果包括: 利用各个终端设备的密钥、 识别码和终端设备中一个或多个应用程序的标识信息通过所述基于单向 函数的算法生成各个终端设备对应的加密结果。
第三方面, 本发明的实施例提供一种终端设备, 包括:
信息提取模块, 用于获取密钥、 所述终端设备的识别码和所述终端设 备中一个或多个应用程序的标识信息,所述终端设备中的不同应用程序的 标识信息互不相同, 所述终端设备的识别码包括: 国际移动设备识别码
( IMEI ) 和 /或国际移动用户识别码 ( IMSI );
加密模块,用于针对所述一个或多个应用程序中的应用程序的标识信 息, 利用所述密钥和所述终端设备的识别码, 通过预设的加密算法生成与 所述应用程序相对应的加密结果,所述加密结果用于表示所述终端设备在 接入网络和进行接入网络的识别认证时所需的信息;
通信模块, 用于当所述终端设备运行所述应用程序时, 利用所述与所 述应用程序相对应的加密结果接入网络。 结合第三方面, 在第三方面的第一种可能的实现方式中, 所述通信模 块还用于将所述密钥、所述终端设备的识别码和所述终端设备中一个或多 个应用程序的标识信息上 ^艮至所述网络端,所述网络端包括网络设备或网 络端服务器。 结合第三方面, 在第三方面的第二种可能的实现方式中, 所述加密模 块具体用于针对一个应用程序的标识信息,利用所述密钥和所述终端设备 的识别码,通过基于单向函数的算法生成与这一个应用程序相对应的加密 结果。
第四方面, 本发明的实施例提供一种网络设备, 包括:
接收模块, 用于获取未知的终端设备接入网络时使用的原始加密结 果,所述原始加密结果是由所述未知的终端设备针对所述未知的终端设备 中的应用程序的标识信息,利用所述未知的终端设备的密钥和识别码生成 的,所述原始加密结果用于表示所述终端设备在接入网络和进行接入网络
的识另 'J认证时所需的信息; 备的安全信息生成各个终端设备对应的加密结果,所述安全信息包括了生 成各个终端设备对应的加密结果时所需的参数;
识别模块, 用于如果在所述网络设备所生成的加密结果中, 有终端设 备对应的加密结果与所述原始加密结果相同,则确定该终端设备为所述未 知的终端设备。 结合第四方面, 在第四方面的第一种可能的实现方式中, 上报给所述 网络设备的终端设备的安全信息包括密钥、 识别码、 预设的加密算法和所 述终端设备中一个或多个应用程序的标识信息,所述终端设备的识别码包 括: 所述终端设备的国际移动设备识别码 ( IME I ) 和 /或国际移动用户识 别码 ( IMS I );
所述处理模块具体用于利用各个终端设备的密钥、识别码和终端设备 中一个或多个应用程序的标识信息通过基于单向函数的算法生成各个终 端设备对应的加密结果。 本发明实施例提供的提高信息安全性的方法、 终端设备及网络设备, 终端设备, 能够生成对应于各个应用程序的加密结果, 并且终端设备运行 的一个应用程序接入网络时所使用的加密结果与另一个应用程序接入网 络时所使用的加密结果不相同,使得终端设备在运行不同的应用程序时向 网络端发送的用于标识终端设备的信息都不相同。 相对于现有技术, 由于 同,使得网络端难以利用同一个终端设备运行不同应用程序的通信记录的 交叉分析出用户的行为轮廓,避免了网络端的设备推导出用户的真实身份 信息, 防止了用户的真实身份信息被泄露, 从而保护用户的个人隐私。 附图说明
为了更清楚地说明本发明实施例中的技术方案,下面将对实施例中所 需要使用的附图作简单地介绍, 显而易见地, 下面描述中的附图仅仅是本 发明的一些实施例, 对于本领域普通技术人员来讲, 在不付出创造性劳动 的前提下, 还可以根据这些附图获得其它的附图。
图 1为本发明实施例提供的一种提高信息安全性的方法的一种流程 图;
图 2为本发明实施例提供的一种提高信息安全性的方法的另一种流程 图;
图 3为本发明实施例提供的另一种提高信息安全性的方法的流程图; 图 4为本发明实施例提供的终端设备的一种结构示意图;
图 5为本发明实施例提供的一种网络设备的结构示意图;
图 6为本发明实施例提供的一种计算节点的结构示意图;
图 7为本发明实施例提供的一种存储节点的结构示意图。
具体实施方式
下面将结合本发明实施例中的附图,对本发明实施例中的技术方案进 行清楚、完整地描述,显然,所描述的实施例仅仅是本发明一部分实施例, 而不是全部的实施例。基于本发明中的实施例, 本领域普通技术人员在没 有做出创造性劳动前提下所获得的所有其它实施例,都属于本发明保护的 范围。
本发明实施例提供一种提高信息安全性的方法, 如图 1所示, 包括: 101 , 终端设备获取密钥、 所述终端设备的识别码和所述终端设备中 一个或多个应用程序的标识信息。
其中, 终端设备中的不同应用程序的标识信息互不相同, 终端设备的 识别码可以包括: IMEI ( International Mobile Equipment Identity , 国际 移动设备识别码 )和 /或 IMSI ( International Mobile Subscriber Identity , 国 际移动用户识别码;)。
在本实施例中,终端设备所对应的密钥可以是在终端设备上电后自动
生成的密钥, 也可以是有用户输入或其他设备发送的密钥。 应用程序的标 识信息可以是应用程序的 Package Name、 应用程序携带的证书信息、 应用 程序携带的证书信息中主体密钥或者证书中的签名和 /或应用程序的 UID ( User Identification, 用户身份证明) 等信息。
102 , 针对所述一个或多个应用程序中的应用程序的标识信息, 利用 所述密钥和所述终端设备的识别码,通过预设的加密算法生成与所述应用 程序相对应的加密结果。
其中,加密结果用于表示终端设备在接入网络和进行接入网络的识别 认证时所需的信息。
需要说明的是, 在本实施例中, 网络端包括了可以通过网络与终端设 备进行数据交互的设备, 比如基站、 网关、 数据服务器等。 并且在实际应 用中, 终端设备可以向网络端发送用于标识终端设备的信息, 比如: 安装 在智能手机上的 APP ( Application, 第三方应用程序) 可以利用搭载于智 能手机的操作系统提供的 API ( Application Programming Interface,应用程 序编程接口 )读取智能手机的设备信息, 当 APP在运行的过程中行使在线 功能或是需要与网络端进行数据交互时,即可将设备信息作为用于标识智 能手机的信息导入带传输的数据块中并通过智能手机的通信模块将数据 块发送至网络端, 从而将用于标识终端设备的信息发送至网络端。 以便于 网络端的服务器, 比如: APP提供商的服务器, 可以根据用于标识终端设 备的信息实现终端设备在网络上的注册,从而保证终端设备可以稳定的通 过各个应用程序与服务器之间的接口与网络端的服务器进行通信。
在本实施例中, 预设的加密算法也可以是一种普通的函数算法, 比如 终端设备可以对参与加密计算的各个参数进行权值计算,并获取一个权值 计算结果, 再将权值计算结果通过进制转换技术转换为与 IMEI或 IMSI具 有相同形式的字符串代码, 再从中截取与 IMEI或 IM S I长度相同的代码作 为加密结果;
预设的加密算法也可以是基于单向函数的算法比如: HASH函数。 并
且, 所生成的加密结果对应于终端设备中的应用程序。 例如: 终端设备生成加密结果的方式可以是: V=HASH(APP_INFO Θ Value θ Κ)
其中, ΑΡΡ— INFO表示应用程序的标识信息; V表示加密结果; HASH 表示的是一种单向函数,在实际应用可以表现为多种函数形式,比如 MD5、 SHA-1等。 由于单向函数具有的单向性的特性, 因此^ ί艮难对加密计算后的 结果进行逆运算、 逆向分析等可以用于破解计算的手段, 因此利用具有的 单向性的函数进行加密计算可以提高信息加密的安全性。 Value表示终端 设备的识别码; K表示终端设备生成的密钥; ④表示一种本领域技术人员 所熟知的逻辑运算方式, 比如可以表示字符串连接、 按位异或、 叠加运算 等。需要说明的是④表示的是预设的加密算法中各个参数的具体逻辑运算 方式, 在本实施例的实际应用中, 表示逻辑运算方式的符号也可以是 Q、 ®、 ®等自定义的符号,也可以是本领域中常用的逻辑运算符号, 比如 @、
&等, 即表示的是预设的加密算法中各个参数的具体逻辑运算方式的符号 并不限于④。
103 , 当所述终端设备运行所述应用程序时, 利用所述与所述应用程 序相对应的加密结果接入网络。
其中,终端设备在运行一个应用程序时所利用接入网络的加密结果与 终端设备在运行另一个应用程序时所利用接入网络的加密结果不相同。
IMEI和 IMSI在实际应用中是以字符串的形式存储、 传输的, 终端设 备将识别码上报给网络端后,网络端在接收到后可以利用识别码在服务器 上对终端设备进行注册、 记录等具体的应用流程。
在本实施例中, 终端设备可以利用加密结果作为实际应用的识别码, 并以此加密结果接入网络。 例如:
终端设备可以得到加密结果 V , V在终端设备中也是以字符串的形式 保存的。 则终端设备可以用 V代替识别码上报给网络端, 使得网络段将终 端设备上报的 V作为用于识别终端设备的字符串, 从而实现终端设备利用
V接入网络。 需要说明的是, 终端设备在实际应用中所上报的其实是一段 用于识别终端设备的字符串, 因此可以釆用与上 JMEI、 IMSI相同的方 式向网络端发送加密结果 V; 而网络端在实际应用中所处理的其实也是一 段用于识别终端设备的字符串, 因此网络端在接收到了 V后, 可以釆用与 处理 IMEI、 IMSI相同的方式处理 V, 从而实现终端设备利用加密结果 V接 入网络。
需要说明的是,终端设备在运行不同的应用程序时所利用接入网络的 加密结果也不相同, 例如: 终端设备在运行应用程序 A, 并且在使用应用 程序 A的在线功能时, 可以利用与应用程序 A相对应的加密结果 VA接入网 络; 在运行应用程序 B , 并且在使用应用程序 B的在线功能时, 可以利用 与应用程序 B相对应的加密结果 VB接入网络; 在运行应用程序 C , 并且在 使用应用程序 C的在线功能时, 可以利用与应用程序 C相对应的加密结果 Vc接入网络; 并且在本实施例中, VA、 VB和 Vc互不相同。
本发明实施例提供的提高信息安全性的方法,终端设备能够生成对应 于各个应用程序的加密结果,并且终端设备运行的一个应用程序接入网络 时所使用的加密结果与另一个应用程序接入网络时所使用的加密结果不 端设备的信息都不相同。 相对于现有技术, 由于终端设备在运行不同的应 用程序时所利用的用于标识终端设备的信息不同,使得网络端难以利用同 一个终端设备运行不同应用程序的通信记录的交叉分析出用户的行为轮 廓, 避免了网络端的设备推导出用户的真实身份信息, 防止了用户的真实 身份信息被泄露, 从而保护用户的个人隐私。
可选的, 本实施例还提供一种提高信息安全性的方法, 如图 2所示, 包括:
201 , 终端设备获取密钥、 所述终端设备的识别码和所述终端设备中
一个或多个应用程序的标识信息。
其中, 终端设备中的不同应用程序所对应的标识信息互不相同。 可选 的, 终端设备也可以获取每一个应用程序的标识信息。
在本实施例中,应用程序的标识信息可以是本领域技术人员所熟知的 应用程序的 Package Name、 应用程序携带的证书信息、 应用程序携带的证 书信息中主体密钥或者证书中的签名和 /或应用程序的 UID等信息。并且终 端设备中不同的应用程序的标识信息是互不相同。 比如: 如本领域技术人 员所熟知的, 终端设备中的任意二个应用程序的 Package Name、 UID、 证 书信息等都是互不相同的。
202 , 针对所述一个或多个应用程序中的应用程序的标识信息, 利用 所述密钥和所述终端设备的识别码,通过预设的加密算法生成与所述应用 程序相对应的加密结果。
例如: 终端设备生成加密结果的方式可以是: V=HASH(APP_INFO Θ Value Θ Ι Θ Κ)
其中, I表示预设的固定值, 终端设备不论运行哪一个应用程序都使 用相同的固定值, 比如: 1=1 , 则终端设备生成加密结果的方式就是: V=HASH(APP_INFO θ Value θ 1 Θ Κ)„
或者, 也可以是终端设备中的每一个应用程序都对应了一个固定值, 不同应用程序所对应的固定值互不相同, 比如: 应用程序 Α对应固定值 0 , 应用程序 B对应固定值 1 , 应用程序 C对应固定值 2 , 终端设备可以生成应 用程序 A所对应的加密结果 VA=HASH(APP— INFO Θ Value④ 0④ K) ,应用程 序 Β所对应的加密结果 VB=HASH(APP— INFO④ Value ® 1 Φ Κ) , 应用程序 C 所对应的加密结果 VC=HASH(APP— INFO Θ Value Θ 2 Θ Κ)„
需要说明的是, 在实际应用中, 终端设备上报给网络端的 IMEI、 IMSI 等识别码往往是 15位的十进制数,而具体在终端设备中则是以二进制数的 形式进行存储,比如可以将 15位的十进制数转换为指定长度的二进制字符 串进行存储, 比如 45位的二进制字符串。 在本实施例中, 当终端设备所获
取的加密结果的字符串长度大于指定长度时,则终端设备可以从加密结果 中截取指定长度的二进制字符串, 比如 45位, 并将所获取的指定长度的二 进制字符串转换为 15位的十进制数,再将这 15位的十进制数作为用于识别 终端设备的字符串上报给网络端。
203 , 将所述密钥、 所述终端设备的识别码和所述终端设备中一个或 多个应用程序的标识信息上报至所述网络端。
其中, 网络端包括网络设备或网络端服务器。
其中, 终端设备在获取了终端设备的密钥、 识别码和应用程序的标识 信息后即可执行 203 , 即 203可以与 202同时执行, 或是 203也可以再 202之 后执行。
在本实施例中, 终端设备在确定了密钥、 终端设备的识别码和终端设 备中的应用程序的标识信息后,可以将这些信息作为安全信息上报至网络 端,网络端可以将终端设备上报的安全信息存储在能够保证信息安全的存 储设备中, 例如: 网络端可以将终端设备上报的安全信息存储在可信度较 高的, 或是在获得正式授权前无法随意访问的第三方数据库中, 比如: 网 络监管部门的数据库、 运营商的备份数据库等。
204 , 当所述终端设备运行所述应用程序时, 利用所述与所述应用程 序相对应的加密结果接入网络。
例如: 终端设备在运行应用程序 A , 并且在使用应用程序 A的在线功 能时, 可以利用与应用程序 A相对应的加密结果 VA接入网络; 在运行应用 程序 B , 并且在使用应用程序 B的在线功能时, 可以利用与应用程序 B相对 应的加密结果 VB接入网络; 在运行应用程序 C , 并且在使用应用程序 C的 在线功能时, 可以利用与应用程序 C相对应的加密结果 Vc接入网络; 并且 在本实施例中, VA、 VB和 Vc互不相同。
本发明实施例提供的提高信息安全性的方法,终端设备能够生成对应 于各个应用程序的加密结果,并且终端设备运行的一个应用程序接入网络 时所使用的加密结果与另一个应用程序接入网络时所使用的加密结果不
端设备的信息都不相同。 相对于现有技术, 由于终端设备在运行不同的应 用程序时所利用的用于标识终端设备的信息不同,使得网络端难以利用同 一个终端设备运行不同应用程序的通信记录的交叉分析出用户的行为轮 廓, 避免了网络端的设备推导出用户的真实身份信息, 防止了用户的真实 身份信息被泄露, 从而保护用户的个人隐私。 本发明实施例还提供了另一种提高信息安全性的方法,可以用于一种 网络设备。 需要说明的是, 本实施例中的网络设备可以是在网络端中能够 与终端设备进行通信的一种设备,并且网络设备存储了至少二个终端设备 的安全信息,终端设备的安全信息包括所述终端设备上报给所述网络设备 的密钥、 识别码、 预设的加密算法和所述终端设备中一个或多个应用程序 的标识信息, 所述终端设备的识别码包括: 所述终端设备的国际移动设备 识别码 IMEI和 /或国际移动用户识别码 IMSI。如图 3所示,本方法可以包括:
301 , 所述网络设备获取未知的终端设备接入网络时使用的原始加密 结果。
其中,原始加密结果是由未知的终端设备针对未知的终端设备中的应 用程序的标识信息, 利用未知的终端设备的密钥和识别码生成的。 其中, 预设的加密算法为基于单向函数的算法,所述原始加密结果用于表示所述 终端设备在接入网络和进行接入网络的识别认证时所需的信息。
由本实施例中终端设备所执行的方案可知,终端设备接入网络时利用 的是终端设备进行加密计算所生成的结果,比如本实施例中未知的终端设 备接入网络时使用的原始加密结果, 而不是终端设备原有的 IMEI、 IMSL 当一个终端设备利用所生成的加密结果接入网络时,由于网络设备并未记 录这一个终端设备与这一个终端设备所生成的加密结果之间的对应关系, 因此网络设备无法识别出接入网络的这一个终端设备,这一个终端设备对 于网络设备而言也就是未知的终端设备。
信息生成各个终端设备对应的加密结果。
其中,安全信息包括了生成各个终端设备对应的加密结果时所需的参 数。 在本实施例中, 安全信息可以包括用于上报给所述网络设备的终端设 备的安全信息包括密钥、 识别码、预设的加密算法和所述终端设备中一个 或多个应用程序的标识信息, 所述终端设备的识别码包括: 所述终端设备 的国际移动设备识别码( IMEI )和/或国际移动用户识别码( IMSI )。 因此, 在本实施例中, 302可以具体实现为: 利用各个终端设备的密钥、 识别码 和终端设备中一个或多个应用程序的标识信息通过所述基于单向函数的 算法生成各个终端设备对应的加密结果。
由本实施例中终端设备所执行的方案可知,终端设备是利用终端设备 的密钥、 识别码和应用程序的标识信息等作为参数, 通过预设的加密算法 生成的加密结果, 并利用终端设备所生成的加密结果接入网络, 从而避免 了现有技术中直接利用终端设备的 IMEI、 IMSI接入网络。
在本实施例中,由于网络设备中所存储的安全信息中包括了各个终端 设备的密钥和预先设置的识别码等参数,并且也存储了各个终端设备生成 加密结果时所使用的预设的加密算法。因此网络设备可以依次利用所存储 的每一个终端设备所对应的安全信息生成各个终端设备对应的加密结果。
303 , 如果在所述网络设备所生成的加密结果中, 有终端设备对应的 加密结果与所述原始加密结果相同,则确定该终端设备为所述未知的终端 设备。
例如: 终端设备 1中安装有应用程序 a, 应用程序 b和应用程序 c , 其中 应用程序 a的标识信息为 APP— INFOa, 则终端设备在使用应用程序 a的在线 功能时可以向网络端发送加密结果 Va,且 Va =HASH(APP_INFOa Θ Value θ Ι Θ Κ);终端设备在使用应用程序 b的在线功能时可以向网络端发送加密结 果 Vb, 且 Vb =HASH(APP— INFOb④ Value ® I ® K); 终端设备在使用应用程 序 c的 在 线 功 能 时 可 以 向 网 络端 发送加 密 结 果 Vc , 且 Vc
=HASH(APP_INFOc Θ Value Θ Ι Θ Κ) 0 网络设备所存储的终端设备所对应 的安全信息中还可以包括 APP— INFOa 、 APP INFOb 和 APP— INFOc, 从而 网络设备可以生成与 Va、 Vb或 Vc相同的加密结果, 当未知的终端设备接入 网络时实际使用的原始加密结果与 Va、 Vb或 Vc中的任意一项相同时, 则可 以确定未知的终端设备为终端设备 1。
本发明实施例提供的提高信息安全性的方法,终端设备能够生成对应 于各个应用程序的加密结果,并且终端设备运行的一个应用程序接入网络 时所使用的加密结果与另一个应用程序接入网络时所使用的加密结果不 端设备的信息都不相同。 相对于现有技术, 由于终端设备在运行不同的应 用程序时所利用的用于标识终端设备的信息不同,使得网络端难以利用同 一个终端设备运行不同应用程序的通信记录的交叉分析出用户的行为轮 廓。若需要从网络端根据终端设备发送的用于标识终端设备的信息溯源得 到正确的终端设备, 网络设备需要获取包括了终端设备的密钥比如密钥、 预先设置的识别码等参数的安全信息,并通过与终端设备相同的预设的加 密算法, 才能够正确识别出接入网络的终端设备, 使得网络端中不具备安 全信息的设备难以溯源得到正确的终端设备,从而避免了网络端的设备推 导出用户的真实身份信息, 防止了用户的真实身份信息被泄露, 从而保护 用户的个人隐私。
本发明实施例提供一种提高信息安全性的终端设备 40 , 如图 4所示, 终端设备 40可以包括:
信息提取模块 41 , 用于获取密钥、 所述终端设备的识别码和所述终端 设备中一个或多个应用程序的标识信息。
其中, 终端设备中的不同应用程序的标识信息互不相同, 终端设备的 识别码包括: 国际移动设备识别码 ( IMEI ) 和 /或国际移动用户识别码
( IMSI )。
加密模块 42 ,用于针对所述一个或多个应用程序中的应用程序的标识 信息, 利用所述密钥和所述终端设备的识别码, 通过预设的加密算法生成 与所述应用程序相对应的加密结果。
其中,加密结果用于表示所述终端设备在接入网络和进行接入网络的 识别认证时所需的信息。
可选的, 所述加密模块 42具体用于, 针对一个应用程序的标识信息, 利用所述密钥和所述终端设备的识别码,通过基于单向函数的算法生成与 这一个应用程序相对应的加密结果。
通信模块 43 , 用于当所述终端设备运行所述应用程序时, 利用所述与 所述应用程序相对应的加密结果接入网络。
可选的, 所述通信模块 43 , 还用于将所述密钥、 所述终端设备的识别 码和所述终端设备中一个或多个应用程序的标识信息上 4艮至所述网络端。
其中, 网络端包括网络设备或网络端服务器。
本发明实施例提供的提高信息安全性的终端设备,能够生成对应于各 个应用程序的加密结果,并且终端设备运行的一个应用程序接入网络时所 使用的加密结果与另一个应用程序接入网络时所使用的加密结果不相同, 备的信息都不相同。 相对于现有技术, 由于终端设备在运行不同的应用程 序时所发送的用于标识终端设备的信息不同,使得网络端难以利用同一个 终端设备运行不同应用程序的通信记录的交叉分析出用户的行为轮廓,避 免了网络端的设备推导出用户的真实身份信息,防止了用户的真实身份信 息被泄露, 从而保护用户的个人隐私。
本发明实施例提供一种提高信息安全性的网络设备 50 , 如图 5所示, 可以包括:
接收模块 51 ,用于获取未知的终端设备接入网络时使用的原始加密结 果, 其中, 原始加密结果是由未知的终端设备针对未知的终端设备中的应 用程序的标识信息, 利用未知的终端设备的密钥和识别码生成的, 所述原 始加密结果用于表示所述终端设备在接入网络和进行接入网络的识别认 证时所需的信息。
需要说明的是,终端设备的安全信息包括所述终端设备上报给所述网 络设备的密钥、 识别码、预设的加密算法和所述终端设备中一个或多个应 用程序的标识信息, 所述终端设备的识别码包括: 所述终端设备的国际移 动设备识别码 IMEI和 /或国际移动用户识别码 IMSI。 设备的安全信息生成各个终端设备对应的加密结果,所述安全信息包括了 生成各个终端设备对应的加密结果时所需的参数。
识别模块 53 , 用于如果在所述网络设备所生成的加密结果中, 有终端 设备对应的加密结果与所述原始加密结果相同,则确定该终端设备为所述 未知的终端设备。
其中, 报给所述网络设备的终端设备的安全信息包括密钥、 识别码、 预设的加密算法和所述终端设备中一个或多个应用程序的标识信息,所述 终端设备的识别码包括: 所述终端设备的国际移动设备识别码 (IMEI ) 和 /或国际移动用户识别码 (IMSI )。
可选的, 所述处理模块 52具体用于, 利用各个终端设备的密钥、 识别 码和终端设备中一个或多个应用程序的标识信息通过基于单向函数的算 法生成各个终端设备对应的加密结果。
由于终端设备能够生成对应于各个应用程序的加密结果,并且终端设 备运行的一个应用程序接入网络时所使用的加密结果与另一个应用程序 接入网络时所使用的加密结果不相同,使得终端设备在运行不同的应用程 序时向网络端发送的用于标识终端设备的信息都不相同。 相对于现有技
信息不同,使得网络端难以利用同一个终端设备运行不同应用程序的通信 记录的交叉分析出用户的行为轮廓。本发明实施例提供的提高信息安全性 的网络设备,能够从网络端根据终端设备发送的用于标识终端设备的信息 溯源得到正确的终端设备, 由于网络设备获取了终端设备的密钥比如密 钥、 预先设置的识别码等参数的安全信息, 并通过与终端设备相同的预设 的加密算法, 才能够正确识别出接入网络的终端设备, 使得网络端中不具 备安全信息的设备难以溯源得到正确的终端设备 ,从而避免了网络端的设 备推导出用户的真实身份信息, 防止了用户的真实身份信息被泄露, 从而 保护用户的个人隐私。
本发明实施例还提供了一种计算节点 60 ,计算节点 60可以用于终端设 备, 如图 6所示, 计算节点 60包括: 第一处理器 61、 第一通信接口 62、 第 一存储器 63、 第一总线 64 , 所述第一处理器 61、 所述第一通信接口 62和所 述第一存储器 63、 通过所述第一总线 64完成相互间的通信, 所述第一存储 器 63用于存储所述计算节点 60在运行过程中需要存储的数据, 其中: 所述第一处理器 61 , 用于通过所述第一通信接口 62获取密钥、 所述终 端设备的识别码和所述终端设备中一个或多个应用程序的标识信息。
其中, 终端设备中的不同应用程序的标识信息互不相同, 终端设备的 识别码包括: 国际移动设备识别码 ( IMEI ) 和 /或国际移动用户识别码 ( IMSI )。
所述第一处理器 61 ,还用于针对所述一个或多个应用程序中的应用程 序的标识信息, 利用所述密钥和所述终端设备的识别码, 通过预设的加密 算法生成与所述应用程序相对应的加密结果。
其中,加密结果用于表示终端设备在接入网络和进行接入网络的识别 认证时所需的信息。
其中, 预设的加密算法可以为基于单向函数的算法。
所述第一处理器 61 , 还用于当所述终端设备运行所述应用程序时, 利 用所述与所述应用程序相对应的加密结果接入网络。
可选的, 所述第一处理器 61 , 还用于通过所述第一通信接口 62将所述 密钥、所述终端设备的识别码和所述终端设备中一个或多个应用程序的标 识信息上报至所述网络端, 所述网络端包括网络设备或网络端服务器。
所述第一处理器 61 , 具体用于针对一个应用程序的标识信息, 利用所 述密钥和所述终端设备的识别码,通过基于单向函数的算法生成与这一个 应用程序相对应的加密结果。
本发明实施例提供的提高信息安全性的计算节点,能够生成对应于各 个应用程序的加密结果,并且终端设备运行的一个应用程序接入网络时所 使用的加密结果与另一个应用程序接入网络时所使用的加密结果不相同, 备的信息都不相同。 相对于现有技术, 由于终端设备在运行不同的应用程 序时所利用的用于标识终端设备的信息不同,使得网络端难以利用同一个 终端设备运行不同应用程序的通信记录的交叉分析出用户的行为轮廓,避 免了网络端的设备推导出用户的真实身份信息,防止了用户的真实身份信 息被泄露, 从而保护用户的个人隐私。 本发明实施例还提供了一种存储节点 70 ,计算节点 70可以用于网络设 备, 如图 7所示, 存储节点 70包括: 第二处理器 71、 第二通信接口 72、 第 二存储器 73、 第二总线 74 , 所述第二处理器 71、 所述第二通信接口 72和所 述第二存储器 73、 通过所述第二总线 74完成相互间的通信, 所述第二存储 器 73用于存储所述存储节点 70在运行过程中需要存储的数据, 其中:
所述第二存储器 73还用于, 存储终端设备上报的安全信息。
其中, 安全信息可以包括密钥、 识别码、 预设的加密算法和所述终端 设备中一个或多个应用程序的标识信息, 所述终端设备的识别码包括: 所 述终端设备的国际移动设备识别码 (IMEI ) 和 /或国际移动用户识别码
( IMSI )。
所述第二处理器 71 ,用于获取未知的终端设备接入网络时使用的原始 加密结果。
其中,原始加密结果是由未知的终端设备针对未知的终端设备中的应 用程序的标识信息, 利用未知的终端设备的密钥和识别码生成的, 原始加 密结果用于表示终端设备在接入网络和进行接入网络的识另 'J认证时所需 的信息。
所述第二处理器 71 ,还用于利用在所述第二存储器 73中所存储的各个 终端设备的安全信息生成各个终端设备对应的加密结果,所述安全信息包 括了生成各个终端设备对应的加密结果时所需的参数。
所述第二处理器 71 , 还用于如果在所述网络设备所生成的加密结果 中, 有终端设备对应的加密结果与所述原始加密结果相同, 则确定该终端 设备为所述未知的终端设备。
进一步的, 所述第二处理器 71 , 可以具体用于利用各个终端设备的密 钥、识别码和终端设备中一个或多个应用程序的标识信息通过基于单向函 数的算法生成各个终端设备对应的加密结果。
本发明实施例提供的提高信息安全性的存储节点,终端设备能够生成 对应于各个应用程序的加密结果,并且终端设备运行的一个应用程序接入 网络时所使用的加密结果与另一个应用程序接入网络时所使用的加密结 识终端设备的信息都不相同。 相对于现有技术, 由于终端设备在运行不同 的应用程序时所发送的用于标识终端设备的信息不同,使得网络端难以利 用同一个终端设备运行不同应用程序的通信记录的交叉分析出用户的行 为轮廓。若需要从网络端根据终端设备发送的用于标识终端设备的信 , ¾溯 源得到正确的终端设备,网络设备需要获取包括了终端设备的密钥比如密 钥、 预先设置的识别码等参数的安全信息, 并通过与终端设备相同的预设 的加密算法, 才能够正确识别出接入网络的终端设备, 使得网络端中不具
备安全信息的设备难以溯源得到正确的终端设备 ,从而避免了网络端的设 备推导出用户的真实身份信息, 防止了用户的真实身份信息被泄露, 从而 保护用户的个人隐私。
本说明书中的各个实施例均釆用递进的方式描述,各个实施例之间相 同相似的部分互相参见即可,每个实施例重点说明的都是与其他实施例的 不同之处。 尤其, 对于设备实施例而言, 由于其基本相似于方法实施例, 所以描述得比较简单, 相关之处参见方法实施例的部分说明即可。
本领域普通技术人员可以理解实现上述实施例方法中的全部或部分 流程, 是可以通过计算机程序来指令相关的硬件来完成, 所述的程序可存 储于一计算机可读取存储介质中, 该程序在执行时, 可包括如上述各方法 的实施例的流程。 其中, 所述的存储介质可为磁碟、 光盘、 只读存储记忆 体 ( Read-Only Memory , ROM ) 或随机存^ I i己忆体 ( Random Access Memory, RAM ) 等。
以上所述, 仅为本发明的具体实施方式, 但本发明的保护范围并不局 限于此, 任何熟悉本技术领域的技术人员在本发明揭露的技术范围内, 可 轻易想到的变化或替换, 都应涵盖在本发明的保护范围之内。 因此, 本发 明的保护范围应该以权利要求的保护范围为准。
Claims
1、 一种提高信息安全性的方法, 用于一种终端设备, 其特征在于, 包 括:
所述终端设备获取密钥、 所述终端设备的识别码和所述终端设备中一 个或多个应用程序的标识信息, 所述终端设备中的不同应用程序的标识信 息互不相同, 所述终端设备的识别码包括: 国际移动设备识别码 ( IME I ) 和 /或国际移动用户识别码 ( IMS I );
针对所述一个或多个应用程序中的应用程序的标识信息, 利用所述密 钥和所述终端设备的识别码, 通过预设的加密算法生成与所述应用程序相 对应的加密结果, 所述加密结果用于表示所述终端设备在接入网络和进行 接入网络的识另 'J认证时所需的信息;
当所述终端设备运行所述应用程序时, 利用所述与所述应用程序相对 应的加密结果接入网络。
2、 根据权利要求 1所述的提高信息安全性的方法, 其特征在于, 还包 括: 将所述密钥、 所述终端设备的识别码和所述终端设备中一个或多个应 用程序的标识信息上 4艮至所述网络端, 所述网络端包括网络设备或网络端 服务器。
3、 根据权利要求 1所述的提高信息安全性的方法, 其特征在于, 所述 预设的加密算法为基于单向函数的算法。
4、 一种提高信息安全性的方法, 用于一种网络设备, 其特征在于, 所 述方法包括:
所述网络设备获取未知的终端设备接入网络时使用的原始加密结果, 所述原始加密结果是由所述未知的终端设备针对所述未知的终端设备中的 应用程序的标识信息, 利用所述未知的终端设备的密钥和识别码生成的, 所述原始加密结果用于表示所述终端设备在接入网络和进行接入网络的识 别认证时所需的信息;
成各个终端设备对应的加密结果, 所述安全信息包括了生成各个终端设备 对应的加密结果时所需的参数;
如果在所述网络设备所生成的加密结果中, 有终端设备对应的加密结 果与所述原始加密结果相同, 则确定该终端设备为所述未知的终端设备。
5、 根据权利要求 4所述的提高信息安全性的方法, 其特征在于, 用于 上报给所述网络设备的终端设备的安全信息包括密钥、 识别码、 预设的加 密算法和所述终端设备中一个或多个应用程序的标识信息, 所述终端设备 的识别码包括: 所述终端设备的国际移动设备识别码( IME I )和 /或国际移 动用户识别码 ( IMS I ); 息生成各个终端设备对应的加密结果包括: 利用各个终端设备的密钥、 识 别码和终端设备中一个或多个应用程序的标识信息通过所述基于单向函数 的算法生成各个终端设备对应的加密结果。
6、 一种终端设备, 其特征在于, 包括:
信息提取模块, 用于获取密钥、 所述终端设备的识别码和所述终端设 备中一个或多个应用程序的标识信息, 所述终端设备中的不同应用程序的 标识信息互不相同, 所述终端设备的识别码包括: 国际移动设备识别码 ( IME I ) 和 /或国际移动用户识别码 ( IMS I );
加密模块, 用于针对所述一个或多个应用程序中的应用程序的标识信 息, 利用所述密钥和所述终端设备的识别码, 通过预设的加密算法生成与 所述应用程序相对应的加密结果, 所述加密结果用于表示所述终端设备在 接入网络和进行接入网络的识别认证时所需的信息;
通信模块, 用于当所述终端设备运行所述应用程序时, 利用所述与所 述应用程序相对应的加密结果接入网络。
7、 根据权利要求 6所述的终端设备, 其特征在于, 所述通信模块还用 于将所述密钥、 所述终端设备的识别码和所述终端设备中一个或多个应用 程序的标识信息上报至所述网络端, 所述网络端包括网络设备或网络端服
务器。
8、 根据权利要求 6所述的终端设备, 其特征在于, 所述加密模块具体 用于针对一个应用程序的标识信息, 利用所述密钥和所述终端设备的识另 'J 码, 通过基于单向函数的算法生成与这一个应用程序相对应的加密结果。
9、 一种网络设备, 其特征在于, 所述网络设备包括:
接收模块,用于获取未知的终端设备接入网络时使用的原始加密结果, 所述原始加密结果是由所述未知的终端设备针对所述未知的终端设备中的 应用程序的标识信息, 利用所述未知的终端设备的密钥和识别码生成的, 所述原始加密结果用于表示所述终端设备在接入网络和进行接入网络的识 别认证时所需的信息; 备的安全信息生成各个终端设备对应的加密结果, 所述安全信息包括了生 成各个终端设备对应的加密结果时所需的参数;
识别模块, 用于如果在所述网络设备所生成的加密结果中, 有终端设 备对应的加密结果与所述原始加密结果相同, 则确定该终端设备为所述未 知的终端设备。
1 0、 根据权利要求 9所述的网络设备, 其特征在于, 上报给所述网络设 备的终端设备的安全信息包括密钥、 识别码、 预设的加密算法和所述终端 设备中一个或多个应用程序的标识信息, 所述终端设备的识别码包括: 所 述终端设备的国际移动设备识别码 ( IME I ) 和 /或国际移动用户识别码
( IMS I );
所述处理模块具体用于利用各个终端设备的密钥、 识别码和终端设备 中一个或多个应用程序的标识信息通过基于单向函数的算法生成各个终端 设备对应的加密结果。
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP14823804.1A EP2963958B1 (en) | 2013-07-08 | 2014-02-28 | Network device, terminal device and information security improving method |
US14/869,102 US9781109B2 (en) | 2013-07-08 | 2015-09-29 | Method, terminal device, and network device for improving information security |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201310283912.X | 2013-07-08 | ||
CN201310283912.XA CN104283853B (zh) | 2013-07-08 | 2013-07-08 | 一种提高信息安全性的方法、终端设备及网络设备 |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US14/869,102 Continuation US9781109B2 (en) | 2013-07-08 | 2015-09-29 | Method, terminal device, and network device for improving information security |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2015003503A1 true WO2015003503A1 (zh) | 2015-01-15 |
Family
ID=52258338
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2014/072755 WO2015003503A1 (zh) | 2013-07-08 | 2014-02-28 | 一种提高信息安全性的方法、终端设备及网络设备 |
Country Status (4)
Country | Link |
---|---|
US (1) | US9781109B2 (zh) |
EP (1) | EP2963958B1 (zh) |
CN (1) | CN104283853B (zh) |
WO (1) | WO2015003503A1 (zh) |
Families Citing this family (16)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106559383B (zh) * | 2015-09-25 | 2019-06-25 | 北京国双科技有限公司 | 单点登录的登录方法及装置 |
CN105376733A (zh) * | 2015-09-30 | 2016-03-02 | 联想(北京)有限公司 | 信息处理方法及电子设备 |
CN105634141A (zh) * | 2016-03-30 | 2016-06-01 | 姜山 | 电力调控信息实时监控与安全预警移动传输系统及方法 |
CN105681039B (zh) * | 2016-04-15 | 2021-04-13 | 上海上讯信息技术股份有限公司 | 用于生成密钥及对应解密的方法和设备 |
CN106096424B (zh) * | 2016-06-01 | 2019-03-12 | 联动优势电子商务有限公司 | 一种对本地数据进行加密方法和终端 |
CN107889093A (zh) * | 2016-09-29 | 2018-04-06 | 北京京东尚科信息技术有限公司 | 管理移动终端的应用的方法和装置 |
CN106506159A (zh) * | 2016-11-18 | 2017-03-15 | 上海艾讯云计算有限公司 | 用于密钥安全的加密方法和设备 |
CN108469986B (zh) * | 2017-02-23 | 2021-04-09 | 华为技术有限公司 | 一种数据迁移方法及装置 |
CN107911364B (zh) * | 2017-11-16 | 2018-09-11 | 国网山东省电力公司 | 一种基于指纹识别缓存的认证系统 |
US11734689B2 (en) * | 2017-12-11 | 2023-08-22 | Jpmorgan Chase Bank, N.A. | Methods for improving identification threat protection and devices thereof |
CN109981804A (zh) * | 2017-12-28 | 2019-07-05 | 中国移动通信集团安徽有限公司 | 终端设备识别id的生成、识别方法、系统、设备及介质 |
CN111132163B (zh) * | 2019-12-28 | 2022-11-04 | 飞天诚信科技股份有限公司 | 一种无线安全设备与应用程序的认证方法和系统 |
CN111783169B (zh) * | 2020-07-09 | 2024-05-24 | 深圳市欢太科技有限公司 | 设备唯一识别码确定方法、装置、终端设备及存储介质 |
CN114630314B (zh) * | 2020-12-10 | 2023-09-05 | 中移(苏州)软件技术有限公司 | 终端信息库的更新方法、装置、设备及存储介质 |
CN113938878A (zh) * | 2021-10-15 | 2022-01-14 | 维沃移动通信有限公司 | 一种设备标识符防伪造方法、装置和电子设备 |
CN114374545B (zh) * | 2021-12-21 | 2024-05-14 | 北京北信源软件股份有限公司 | 防止消息泄露的方法、服务器、装置和电子设备 |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101516090A (zh) * | 2008-02-20 | 2009-08-26 | 华为技术有限公司 | 网络认证通信方法及网状网络系统 |
CN103095457A (zh) * | 2013-01-11 | 2013-05-08 | 广东欧珀移动通信有限公司 | 一种应用程序的登录、验证方法 |
Family Cites Families (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2004062243A2 (en) | 2002-12-31 | 2004-07-22 | Motorola, Inc, A Corporation Of The State Of Delaware | System and method for distributed authorization for access to communications device |
KR100680177B1 (ko) * | 2004-12-30 | 2007-02-08 | 삼성전자주식회사 | 홈 네트워크 외부에서 사용자를 인증하는 방법 |
US20090305667A1 (en) * | 2007-04-24 | 2009-12-10 | Schultz Michael J | Method and system for mobile identity verification and security |
US8626115B2 (en) * | 2009-01-28 | 2014-01-07 | Headwater Partners I Llc | Wireless network service interfaces |
US9065908B2 (en) * | 2010-02-12 | 2015-06-23 | Broadcom Corporation | Method and system for ensuring user and/or device anonymity for location based services (LBS) |
CN101959183B (zh) | 2010-09-21 | 2013-01-23 | 中国科学院软件研究所 | 一种基于假名的移动用户标识码imsi保护方法 |
US8369834B2 (en) * | 2010-09-24 | 2013-02-05 | Verizon Patent And Licensing Inc. | User device identification using a pseudo device identifier |
US9225532B2 (en) * | 2010-12-06 | 2015-12-29 | Verizon Patent And Licensing Inc. | Method and system for providing registration of an application instance |
US8862888B2 (en) * | 2012-01-11 | 2014-10-14 | King Saud University | Systems and methods for three-factor authentication |
WO2013159110A1 (en) * | 2012-04-20 | 2013-10-24 | Conductiv Software, Inc. | Multi-factor mobile transaction authentication |
US9130919B2 (en) * | 2012-10-15 | 2015-09-08 | Verizon Patent And Licensing Inc. | Hosted IMS instance with authentication framework for network-based applications |
US9143492B2 (en) * | 2013-03-15 | 2015-09-22 | Fortinet, Inc. | Soft token system |
-
2013
- 2013-07-08 CN CN201310283912.XA patent/CN104283853B/zh active Active
-
2014
- 2014-02-28 WO PCT/CN2014/072755 patent/WO2015003503A1/zh active Application Filing
- 2014-02-28 EP EP14823804.1A patent/EP2963958B1/en active Active
-
2015
- 2015-09-29 US US14/869,102 patent/US9781109B2/en active Active
Patent Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101516090A (zh) * | 2008-02-20 | 2009-08-26 | 华为技术有限公司 | 网络认证通信方法及网状网络系统 |
CN103095457A (zh) * | 2013-01-11 | 2013-05-08 | 广东欧珀移动通信有限公司 | 一种应用程序的登录、验证方法 |
Also Published As
Publication number | Publication date |
---|---|
US9781109B2 (en) | 2017-10-03 |
EP2963958A4 (en) | 2016-06-08 |
EP2963958A1 (en) | 2016-01-06 |
EP2963958B1 (en) | 2019-12-18 |
CN104283853B (zh) | 2018-04-10 |
US20160021111A1 (en) | 2016-01-21 |
CN104283853A (zh) | 2015-01-14 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2015003503A1 (zh) | 一种提高信息安全性的方法、终端设备及网络设备 | |
WO2021120862A1 (zh) | 一种私有数据保护方法和系统 | |
Yang et al. | Provable data possession of resource-constrained mobile devices in cloud computing | |
US9219722B2 (en) | Unclonable ID based chip-to-chip communication | |
CN110401615B (zh) | 一种身份认证方法、装置、设备、系统及可读存储介质 | |
US9197420B2 (en) | Using information in a digital certificate to authenticate a network of a wireless access point | |
CN113691502B (zh) | 通信方法、装置、网关服务器、客户端及存储介质 | |
CN105553951A (zh) | 数据传输方法和装置 | |
CN107612889B (zh) | 防止用户信息泄露的方法 | |
CN104836784B (zh) | 一种信息处理方法、客户端和服务器 | |
CN105447715A (zh) | 用于与第三方合作的防盗刷电子优惠券的方法和装置 | |
US10439809B2 (en) | Method and apparatus for managing application identifier | |
CN109962777A (zh) | 许可区块链系统中的密钥生成、获取密钥的方法及设备 | |
CN107094156A (zh) | 一种基于p2p模式的安全通信方法及系统 | |
CN102404337A (zh) | 数据加密方法和装置 | |
Chen et al. | A full lifecycle authentication scheme for large-scale smart IoT applications | |
KR101358375B1 (ko) | 스미싱 방지를 위한 문자메시지 보안 시스템 및 방법 | |
CN109495458A (zh) | 一种数据传输的方法、系统及相关组件 | |
CN109451504B (zh) | 物联网模组鉴权方法及系统 | |
CN113434474A (zh) | 基于联邦学习的流量审计方法、设备、存储介质 | |
CN106257859A (zh) | 一种密码使用方法 | |
CN112995096B (zh) | 数据加密、解密方法、装置及设备 | |
CN106537962B (zh) | 无线网络配置、接入和访问方法、装置及设备 | |
KR101329789B1 (ko) | 모바일 디바이스의 데이터베이스 암호화 방법 | |
CN106506476B (zh) | 安全修改设备信息的方法和系统 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 14823804 Country of ref document: EP Kind code of ref document: A1 |
|
WWE | Wipo information: entry into national phase |
Ref document number: 2014823804 Country of ref document: EP |
|
NENP | Non-entry into the national phase |
Ref country code: DE |